Wireless Security: A HITECH GuideMitigating Risks With Encryption, Authentication, Training
When building a plan for compliance with the security and privacy provisions of the HITECH Act and HIPAA, organizations must develop specific strategies for mitigating the additional risks involved in using wireless technologies, Herold says.
In an interview (transcript below), she offers in-depth advice, including:
- Establish policies and procedures to address wireless network and device use.
- Offer extensive training on the policies and procedures to all wireless users and offer frequent updates.
- Create an inventory of all wireless devices in use, including staff members' personal devices that they use for work. "It's very important to know of everyone using a wireless device for any type of business activity, even if they're only using it for accessing e-mail, Herold says. Then make sure all appropriate security measures, including strong authentication,are in place for each type of device.
- Apply encryption extensively to internal wireless networks as well as devices.
- Make sure that independent contractors and staffers who use their own wireless networks at their home or office are taking full advantage of security technologies, including firewalls and encryption.
- Create a well-documented security incident response plan and train incident response team members on how to respond to lost or stolen wireless devices and other threats.
Herold, owner of Rebecca Herold & Associates, is known as the Privacy Professor. For more than two decades, she has specialized in information security privacy, security and compliance. She has served as an adviser to organizations in a number of industries, including healthcare.
Earlier, she was featured in an interview about encryption strategies.
HOWARD ANDERSON: How does the growing use of wireless networks and devices affect healthcare organizations' risk management strategies?
REBECCA HEROLD: Organizations need to think about how they are going to secure their wireless networks in addition to how they are going to make sure that all of their personnel who are likely using wireless devices know how to use them appropriately and establish controls over them. These risk management strategies now need to address not only just what they have within their facilities, but ... how to manage all the risks outside of their walls. ...
Securing Wireless NetworksANDERSON: As more hospitals and clinics implement wireless networks within their facilities, what are the most important steps they can take to ensure the security of information traversing those internal networks?
HEROLD: For managing risk, really there are some core actions and activities that organizations can take. They certainly need to make sure that they establish policies and procedures that are based on addressing the risks that are related to wireless use -- wireless networks and also the wireless devices. Then they need to make sure that those policies and procedures are communicated to everyone using the wireless networks and devices. They need to provide regular training about wireless security and privacy and also send out regular awareness communications.
Another important thing that often times I see organizations don't do, or don't do very effectively, is to actually know who is using wireless -- who is on the wireless networks, who has these wireless devices. There need to be inventories made so that the organizations know the personnel that are using wireless and then they can really establish safeguards around not only the wireless network itself, but also to ensure that those using the wireless devices have safeguards. One of the things they need to think about with regard to wireless is what kind of encryption are they going to use on the wireless networks, because if you're in a healthcare organization, you have a lot of very sensitive information that travels through the wireless networks. ... So you need to make sure that if you have this sensitive data flying through the air using the wireless network or on all of these many different types of wireless devices that the data is strongly encrypted so that others who may be able to see that network cannot see the data as they see the network using one of many different types of tracking tools that are available to actually scan for wireless networks.
You want to make sure that the organization's wireless networks have strong encryption, but also those networks used by any of their personnel that work outside of the office. There are growing numbers of people who work from their homes, and they have their own wireless networks there. So organizations need to make sure that they have those wireless networks appropriately secured too. They need to make sure that the personnel or contracted workers who are on wireless networks are using encryption that is at least at the WPA 2 level and that they are not using the older and more vulnerable WPA types of encryption or even the WEB encryption. There is still a lot of that out there as well. They need to make sure that the folks who have the wireless devices have firewalls that are implemented on them -- personal firewalls that are appropriately configured. ... Anyone who is using wireless routers in their homes to do work needs to make sure that they also have firewall routers so that neighbors or those driving by their homes can't just jump on to the network, and as a result, potentially jump on to the organizational network as well.
So there are many different types of activities that need to be done in order to protect not only the wireless network that the organization has established, but personnel's personal wireless networks in their homes. You also need to address how they are using public wireless networks when they are traveling, and then also how they have their wireless networks configured.
Wireless DevicesANDERSON: Some organizations are starting to enable clinicians to access certain clinical data via their smart phone or similar devices. What kinds of issues does that raise? And what is a good way to protect against malware targeting those mobile devices?
HEROLD: The wireless devices do bring with them some great benefits for healthcare, because they allow physicians and nurses and other clinicians to be able to more easily access data when they are with the patients or when they are doing their research. But again, policies and procedures for using those devices really need to be in place.
I am currently working with many different types of healthcare providers, and a lot of doctors and nurses who are using these wireless devices, and I have found that is not something that they often times are thinking about. Their first attention is going to the care of the patients. So there needs to be someone in the organization to make sure that all of those devices used for healthcare purposes are appropriately secured and to make sure that there are policies and procedures in place for them.
Then they need to make sure that all of those using the mobile devices, the physicians and nurses, receive effective targeted training and ongoing awareness. They need to make sure that they know how to use secure encrypted sessions through those wireless devices and that they are using personal firewalls and malware prevention software like you said. They need to understand what different types of phishing attempts look like so they won't see something coming across their wireless devices and go ahead and click on a link that takes them somewhere where malicious types of software can be loaded on to their devices, or that might prompt them to enter information that they shouldn't be entering that would then be used by someone else for malicious purposes.
This is all very important, not only to protect the patient information, but also to achieve compliance with a growing number of regulations, including HIPAA and the HITECH Act. One of the main things under HIPAA and now HITECH is the fact that you still need to make sure that only those who are authorized are able to access the protected health information. ... So making sure that those devices are appropriately secured is a very important thing to do, and having policies, procedures, training, awareness, and someone within the organization responsible for ensuring that all of this gets done is very important as well. And it also supports compliance with HIPAA, of course, by having someone assigned to this type of responsibility.
Role of Encryption, AuthenticationANDERSON: So what's the best way to make sure no patient information is accessible should a wireless device be lost or stolen?
HEROLD: Well ... the best way is just to say you can't have any sensitive information stored on these types of devices. But, of course, this is not going to be feasible for the ways in which these mobile devices are typically going to be used. So if you can't just prohibit it, then you need to make sure that your policies state what kind of wireless devices you need to have and then provide the tools to protect this data. Organizations need to make sure that they have encryption being used on all of these wireless devices. That they have strong authentication requirements in order to be able to not only get into the device to get to the data itself, but also to make sure that the device, if it is lost or stolen, cannot be used to get into the company's network to get to data beyond what is on that wireless device.
If a device is stolen or loss, you can disable the login credentials for the device and for the person -- the person's ID or account -- whichever is appropriate based upon the configuration and the wireless device. Also, there are remote device disable tools, such as the Blackberry Web Desktop Manager and there has been a freeware tool available for the past few years called Power Off that often has been used on some of the older types of systems. ... Those can be a big help if you have those implemented on wireless devices. These disable tools make it so that you just can't use the device at all. You can make sure that you can control it from a distance, from whoever the central administrator is. Windows XP came with a remote shut down tool and so does Windows 7. There are probably other operating systems that have this built into it as well.
Now another very important thing with regard to making sure no patient information is accessible if a loss or a theft occurs is to make sure that you have a documented incident response plan in place. Along with this documented response plan, you need to make sure that you have a trained incident response team and members who know how to best respond to a lost or stolen wireless device, as well as all other types of security incidents, for that matter. ... So there's not just one thing that organizations should do if something is lost or stolen; they need to do a variety of things. They need to have layers of security actions take place.
Comparing Wireless DevicesANDERSON: Finally, do smart phones and other wireless devices vary widely in their security capabilities, and how should one go about comparing and contrasting them and picking the right device?
HEROLD: Well there are so many different types of wireless devices now. There are all sizes, they are coming from all types of vendors and they do vary greatly. Each device has its own unique set of security features. Almost all of them provide some type of password access control, and most of them now provide some type of encryption. It all just really depends upon how the person who is using the device configures the device. This is why it's so important to know every person in the organization who is using a wireless device for any type of business activity, even if they're only using it for their e-mail. They still need to make sure that the wireless device is properly secured.
So the organization needs to document everyone who is using a wireless device. If possible, require only business-owned devices be used. This way, you can make sure that you know exactly what is being used. You can make sure that you have them all documented and then you can configure them to meet your organization's established and documented policies and security standards. ... Now if you cannot require all devices used to be those that are owned by your organization, then you need to document your wireless devices in an inventory --everyone who uses a wireless device along with the type of wireless device used. Then you need to make sure, based upon the type of device being used, that you provide training and ongoing awareness communications to those folks to help them understand the different features on their particular models of wireless device, then also help them remember how to set their security settings on the devices.
It's one of those things that is rather complex when you start talking about how people should secure the devices, because every day new devices come out with new types of features. So keeping track of what is out there is probably the most important thing. ... And that's one of the many tasks that I've included in what I've done to help different organizations and within my compliance helper tool. I provided a comprehensive set of policies, procedures and documentation forms that are necessary to really manage these types of HIPAA and HITECH compliance requirements and to track who is using what.
But at a minimum, you need to make sure that you have the password and a firewall. You need to make sure that you have encryption capabilities and remote disable features on those different types of devices. And at the core of a risk management program, which would include covering wireless networks and devices in particular, organizations need to establish a position or a person or a department to be responsible for the risk management program and then determine the risks involved with the wireless devices and the wireless networks through doing risk assessments. Then they should establish policies and supporting procedures and standards and document them to make sure that they know what they need to do address the risks. Then they should communicate those policies and procedures through training and ongoing awareness communications, and then implement the technologies based upon what devices they are using ... to mitigate these identified risks.